Cellular internet of things battery drain prevention in mobile networks

ABSTRACT

Techniques for cellular Internet of Things (IoT) battery drain prevention in mobile networks (e.g., service provider networks for mobile subscribers) are disclosed. In some embodiments, a system/process/computer program product for cellular IoT battery drain prevention in mobile networks includes monitoring network traffic on a service provider network at a security platform to identify a misbehaving application based on a security policy, wherein the service provider network includes a 4G network or a 5G network; extracting subscription identifier information for network traffic associated with the misbehaving application at the security platform; and enforcing the security policy at the security platform to rate limit paging messages sent to an endpoint device using the subscription identifier information and based on the security policy.

BACKGROUND OF THE INVENTION

A firewall generally protects networks from unauthorized access whilepermitting authorized communications to pass through the firewall. Afirewall is typically a device or a set of devices, or software executedon a device, such as a computer, that provides a firewall function fornetwork access. For example, firewalls can be integrated into operatingsystems of devices (e.g., computers, smart phones, or other types ofnetwork communication capable devices). Firewalls can also be integratedinto or executed as software on computer servers, gateways,network/routing devices (e.g., network routers), or data appliances(e.g., security appliances or other types of special purpose devices).

Firewalls typically deny or permit network transmission based on a setof rules. These sets of rules are often referred to as policies. Forexample, a firewall can filter inbound traffic by applying a set ofrules or policies. A firewall can also filter outbound traffic byapplying a set of rules or policies. Firewalls can also be capable ofperforming basic routing functions.

BRIEF DESCRIPTION OF THE DRAWINGS

Various embodiments of the invention are disclosed in the followingdetailed description and the accompanying drawings.

FIG. 1A is a block diagram of a 5G wireless network with a securityplatform deployment for cellular Internet of Things (IoT) battery drainprevention in mobile networks in accordance with some embodiments.

FIG. 1B is another block diagram of a 5G wireless network with asecurity platform deployment for cellular IoT battery drain preventionin mobile networks in accordance with some embodiments.

FIG. 1C is a block diagram of a 4G wireless network with a securityplatform deployment for cellular IoT battery drain prevention in mobilenetworks in accordance with some embodiments.

FIG. 2 is a process architecture diagram of a 5G wireless network with asecurity platform deployment for cellular IoT battery drain preventionin mobile networks in accordance with some embodiments.

FIG. 3 is a functional diagram of hardware components of a networkdevice for cellular IoT battery drain prevention in mobile networks inaccordance with some embodiments.

FIG. 4 is a functional diagram of logical components of a network devicefor cellular IoT battery drain prevention in mobile networks inaccordance with some embodiments.

FIG. 5 is a screenshot diagram of a security policy for performingcellular IoT battery drain prevention in mobile networks in accordancewith some embodiments.

FIG. 6 is a flow diagram of a process for performing cellular IoTbattery drain prevention in mobile networks in accordance with someembodiments.

DETAILED DESCRIPTION

The invention can be implemented in numerous ways, including as aprocess; an apparatus; a system; a composition of matter; a computerprogram product embodied on a computer readable storage medium; and/or aprocessor, such as a processor configured to execute instructions storedon and/or provided by a memory coupled to the processor. In thisspecification, these implementations, or any other form that theinvention may take, may be referred to as techniques. In general, theorder of the steps of disclosed processes may be altered within thescope of the invention. Unless stated otherwise, a component such as aprocessor or a memory described as being configured to perform a taskmay be implemented as a general component that is temporarily configuredto perform the task at a given time or a specific component that ismanufactured to perform the task. As used herein, the term ‘processor’refers to one or more devices, circuits, and/or processing coresconfigured to process data, such as computer program instructions.

A detailed description of one or more embodiments of the invention isprovided below along with accompanying figures that illustrate theprinciples of the invention. The invention is described in connectionwith such embodiments, but the invention is not limited to anyembodiment. The scope of the invention is limited only by the claims andthe invention encompasses numerous alternatives, modifications andequivalents. Numerous specific details are set forth in the followingdescription in order to provide a thorough understanding of theinvention. These details are provided for the purpose of example and theinvention may be practiced according to the claims without some or allof these specific details. For the purpose of clarity, technicalmaterial that is known in the technical fields related to the inventionhas not been described in detail so that the invention is notunnecessarily obscured.

A firewall generally protects networks from unauthorized access whilepermitting authorized communications to pass through the firewall. Afirewall is typically a device, a set of devices, or software executedon a device that provides a firewall function for network access. Forexample, a firewall can be integrated into operating systems of devices(e.g., computers, smart phones, or other types of network communicationcapable devices). A firewall can also be integrated into or executed assoftware applications on various types of devices or security devices,such as computer servers, gateways, network/routing devices (e.g.,network routers), or data appliances (e.g., security appliances or othertypes of special purpose devices).

Firewalls typically deny or permit network transmission based on a setof rules. These sets of rules are often referred to as policies (e.g.,network policies or network security policies). For example, a firewallcan filter inbound traffic by applying a set of rules or policies toprevent unwanted outside traffic from reaching protected devices. Afirewall can also filter outbound traffic by applying a set of rules orpolicies (e.g., allow, block, monitor, notify or log, and/or otheractions can be specified in firewall/security rules or firewall/securitypolicies, which can be triggered based on various criteria, such asdescribed herein). A firewall may also apply anti-virus protection,malware detection/prevention, or intrusion protection by applying a setof rules or policies.

Security devices (e.g., security appliances, security gateways, securityservices, and/or other security devices) can include various securityfunctions (e.g., firewall, anti-malware, intrusion prevention/detection,proxy, and/or other security functions), networking functions (e.g.,routing, Quality of Service (QoS), workload balancing of network relatedresources, and/or other networking functions), and/or other functions.For example, routing functions can be based on source information (e.g.,source IP address and port), destination information (e.g., destinationIP address and port), and protocol information.

A basic packet filtering firewall filters network communication trafficby inspecting individual packets transmitted over a network (e.g.,packet filtering firewalls or first generation firewalls, which arestateless packet filtering firewalls). Stateless packet filteringfirewalls typically inspect the individual packets themselves and applyrules based on the inspected packets (e.g., using a combination of apacket's source and destination address information, protocolinformation, and a port number).

Application firewalls can also perform application layer filtering(e.g., using application layer filtering firewalls or second generationfirewalls, which work on the application level of the TCP/IP stack).Application layer filtering firewalls or application firewalls cangenerally identify certain applications and protocols (e.g., webbrowsing using HyperText Transfer Protocol (HTTP), a Domain Name System(DNS) request, a file transfer using File Transfer Protocol (FTP), andvarious other types of applications and other protocols, such as Telnet,DHCP, TCP, UDP, and TFTP (GSS)). For example, application firewalls canblock unauthorized protocols that attempt to communicate over a standardport (e.g., an unauthorized/out of policy protocol attempting to sneakthrough by using a non-standard port for that protocol can generally beidentified using application firewalls).

Stateful firewalls can also perform stateful-based packet inspection inwhich each packet is examined within the context of a series of packetsassociated with that network transmission's flow of packets/packet flow(e.g., stateful firewalls or third generation firewalls). This firewalltechnique is generally referred to as a stateful packet inspection as itmaintains records of all connections passing through the firewall and isable to determine whether a packet is the start of a new connection, apart of an existing connection, or is an invalid packet. For example,the state of a connection can itself be one of the criteria thattriggers a rule within a policy.

Advanced or next generation firewalls can perform stateless and statefulpacket filtering and application layer filtering as discussed above.Next generation firewalls can also perform additional firewalltechniques. For example, certain newer firewalls sometimes referred toas advanced or next generation firewalls can also identify users andcontent. In particular, certain next generation firewalls are expandingthe list of applications that these firewalls can automatically identifyto thousands of applications. Examples of such next generation firewallsare commercially available from Palo Alto Networks, Inc. (e.g., PaloAlto Networks' PA Series next generation firewalls and Palo AltoNetworks' VM Series virtualized next generation firewalls).

For example, Palo Alto Networks' next generation firewalls enableenterprises and service providers to identify and control applications,users, and content—not just ports, IP addresses, and packets—usingvarious identification technologies, such as the following: App-ID™(e.g., App ID) for accurate application identification, User-ID™ (e.g.,User ID) for user identification (e.g., by user or user group), andContent-ID™ (e.g., Content ID) for real-time content scanning (e.g.,controls web surfing and limits data and file transfers). Theseidentification technologies allow enterprises to securely enableapplication usage using business-relevant concepts, instead of followingthe traditional approach offered by traditional port-blocking firewalls.Also, special purpose hardware for next generation firewallsimplemented, for example, as dedicated appliances generally provideshigher performance levels for application inspection than softwareexecuted on general purpose hardware (e.g., such as security appliancesprovided by Palo Alto Networks, Inc., which utilize dedicated, functionspecific processing that is tightly integrated with a single-passsoftware engine to maximize network throughput while minimizing latencyfor Palo Alto Networks' PA Series next generation firewalls).

Technical and Security Challenges in Today's Mobile Networks for ServiceProviders

In today's service provider network environments, the service providercan typically only implement a static security policy for wirelessdevices communicating over the service provider's wireless network(e.g., the service provider cannot define a security/firewall policy ona per endpoint basis and/or a per flow basis for wireless devicescommunicating over the service provider's wireless network), and anychanges generally require network infrastructure updates.

For example, an increasing number of network connected devices includingInternet of Things (IoT) devices are presenting new technical andsecurity challenges in today's mobile networks for service providers.Generally, energy is an important but limited resource for anelectronics device, such as IoT devices that communicate with mobilenetworks (e.g., 4G and 5G cellular networks). For IoT devices, it isoften desired for the battery of a given IoT device to last for arelatively long period of time (e.g., years or tens of years, such asfor IoT devices that are deployed in many different locations includingremote locations for various applications, including remotesecurity/camera monitoring, agricultural, weather, and/or various otherapplications). In some cases, chatty and/or misbehaving applications cancause unnecessary battery drain for mobile devices including IoT devicesthat communicate with mobile networks. As such, these example technicaland security problems can increase operational costs associated withoperating and managing mobile devices including IoT devices for aservice provider due to recharging and battery replacement activitiesand associated costs.

According to the NGMN Alliance 5G End-to-End Architecture Frameworkdraft requirements, Version 3.0.8, Aug. 28, 2019 (hereinafter referredto as NGMN Alliance 5G End-to-End Architecture Framework, which isavailable athttps://www.ngmn.org/wp-content/uploads/Publications/2019/190916-NGMN_E2EArchFramework_v3.0.8.pdf),battery longevity is a key consideration for some endpoint/userequipment (e.g., “The attributes and capabilities, associated with themare diverse, such as, high-power, low-power, long battery life,low-cost, high performance, latency sensitive, high-reliability,precision sensitive.” NGMN Alliance 5G End-to-End ArchitectureFramework, at page 58). It is also recognized that security attacks cantarget endpoint/user equipment including battery exhaustion attackstargeting IoT devices that run on batteries (e.g., “A possible futurethreat is battery exhaustion attacks against devices—eitherindiscriminately at large scale or targeting individual devices whosedisabling has value to the attacker. This is relevant primarily for IoTdevices that run on batteries and cannot be easily or frequentlyrecharged. If large scale battery exhaustion attacks become asignificant problem, then network-based detection and preventionmeasures, including traffic analysis and management, may be needed. Forindividual devices whose availability is particularly important, defenceagainst battery exhaustion attacks may be best implemented in thedevices themselves.” NGMN Alliance 5G End-to-End Architecture Framework,at page 62).

Thus, technical and security challenges with service provider networksexist for devices in mobile networks. As such, what are needed are newand improved technical and security techniques for devices in suchservice provider network environments (e.g., mobile networks, including4G and 5G cellular networks). Specifically, what are needed are new andimproved solutions for monitoring service provider network traffic andapplying security policies (e.g., firewall policies) for devicescommunicating on service provider networks to address these new andevolving technical and security challenges on mobile networks.

Overview of Techniques for Cellular Internet of Things (IoT) BatteryDrain Prevention in Mobile Networks

Various techniques for enhanced security platforms (e.g., a firewall(FW)/Next Generation Firewall (NGFW), a network sensor acting on behalfof the firewall, or another device/component that can implement securitypolicies using the disclosed techniques) within service provider networkenvironments are disclosed. Specifically, various system architecturesfor implementing and various processes for providing security platformswithin service provider network environments that can enhance securityand performance for endpoint/user equipment in mobile networks forservice providers, such as for 4G and 5G cellular networks, aredisclosed. More specifically, various system architectures forimplementing and various processes for providing security platformswithin service provider network environments for cellular IoT batterydrain prevention in mobile networks for service providers, such as for4G and 5G cellular networks, are disclosed.

Accordingly, various techniques for cellular Internet of Things (IoT)battery drain prevention in mobile networks (e.g., service providernetworks for mobile subscribers) are disclosed. In some embodiments, asystem/process/computer program product for cellular IoT battery drainprevention in mobile networks includes monitoring network traffic on aservice provider network at a security platform to identify amisbehaving application based on a security policy, wherein the serviceprovider network includes a 4G network or a 5G network; extractingsubscription identifier information (e.g., International MobileSubscription Identity (IMSI) related information) for network trafficassociated with the misbehaving application at the security platform;and enforcing the security policy at the security platform to rate limitpaging messages sent to an endpoint device (e.g., a cellular Internet ofThings (IoT) device(s)) using the subscription identifier informationand based on the security policy.

In one embodiment, the security platform is configured with a pluralityof security policies for each of a plurality of misbehavingapplications.

In one embodiment, the security platform parses Packet ForwardingControl Protocol (PFCP) Session Establishment Request and PFCP SessionEstablishment Response messages to extract the subscription identifierinformation, and wherein the subscription identifier information isidentified by International Mobile Subscription Identity (IMSI) relatedinformation.

In one embodiment, the security platform monitors wireless interfacesincluding a plurality of interfaces for a control protocol and user datatraffic in a mobile core network for a 4G network.

In one embodiment, the security platform monitors wireless interfacesincluding a plurality of interfaces for a control protocol and user datatraffic in a mobile core network for a 5G network.

In one embodiment, the security platform is configured to perform afirewall service using the subscription identifier information.

In one embodiment, a system/process/computer program product forcellular IoT battery drain prevention in mobile networks furtherincludes capturing a traffic log for the detected misbehavingapplication sending paging messages based on the security policy or asecurity profile (e.g., a vulnerability profile, such as furtherdescribed below).

In one embodiment, a system/process/computer program product forcellular IoT battery drain prevention in mobile networks furtherincludes sending the traffic log and an associated International MobileSubscriber Identity (IMSI) to a server/data store (e.g., an externalserver/data store); and correlating the IMSI to, for example, aTemporary Mobile Subscriber Identity (TMSI) in 4G networks and to a5G-S-TMSI in 5G networks.

In one embodiment, a system/process/computer program product forcellular IoT battery drain prevention in mobile networks furtherincludes sending the correlated TMSI/5G-S-TMSI to the security platformin a message (e.g., in a syslog message that includes the TMSI or5G-S-TMSI information to the same security platform and/or a differentsecurity platform(s)).

In one embodiment, a system/process/computer program product forcellular IoT battery drain prevention in mobile networks furtherincludes parsing the message (e.g., syslog message) to extract theTMSI/5G-S-TMSI as a User-ID parameter for performing security policyenforcement using the security platform (e.g., to facilitate ratelimiting (e.g., throttling) of paging messages using the correlatedTMSI/5G-S-TMSI (e.g., the security policy can be enforced by thesecurity platform using this User-ID to enforce a configured thresholdfor rate limit paging messages to a cellular IoT device perTMSI/5G-S-TMSI)).

As an example use case scenario, an attacker may attempt to attackendpoint/mobile devices (e.g., IoT devices) by sending messages (e.g.,paging messages, which can generally be used for sending network data toendpoint/user equipment, over various protocols for 4G networks and overthe Next Generation Access Protocol (NGAP) over the Stream ControlTransmission (SCTP) protocol for 5G networks) to drain batteries of suchtargeted endpoint/mobile devices (e.g., IoT devices).

In an example implementation, rate limiting of paging messages perapplication which are sent via mobile networks to endpoint/userequipment (e.g., cellular IoT devices with any form of SubscriberIdentity Module (SIM) card) is performed. In this example, the securityplatform deployed for monitoring network traffic on a mobile network canidentify a chatty and/or misbehaving application (e.g., also referred tosimply as a misbehaving application, in which an application can bedetermined to be misbehaving based on a security policy configurationand/or dynamic profile, such as using heuristic-based techniques and/ormachine learning techniques (MLT), such as further described below). Thenetwork traffic associated with the misbehaving application can then becaptured in a traffic log along with the International Mobile SubscriberIdentity (IMSI) using the security platform.

In this example implementation, the following operations can beperformed to facilitate rate limiting of paging messages per applicationwhich are sent via mobile networks to endpoint/user equipment: (1)monitor network traffic at a security platform (e.g., deployed on theaccess side of a mobile network to throttle/rate limit signalingmessages sent to IoT devices with chatty/misbehaving applications) foran application sending paging messages based on a security policy or asecurity profile (e.g., a vulnerability profile, such as furtherdescribed below) to identify a misbehaving application (e.g., anapplication can be determined to be misbehaving based on a securitypolicy configuration and/or dynamic profile, such as usingheuristic-based techniques and/or machine learning techniques (MLT),such as further described below); (2) capture a traffic log for thedetected application sending paging messages based on the securitypolicy or the security profile application; (3) send traffic log and anassociated International Mobile Subscriber Identity (IMSI) to aserver/data store (e.g., an external server/data store); (4) correlatethe IMSI to, for example, a Temporary Mobile Subscriber Identity (TMSI)in 4G networks and to a 5G-S-TMSI in 5G networks; (5) send thecorrelated TMSI/5G-S-TMSI to the security platform in a message (e.g.,in a syslog message that includes the TMSI or 5G-S-TMSI information tothe same security platform and/or a different security platform(s)); (6)the security platform parses the message and extracts the TMSI/5G-S-TMSIas a User-ID parameter for performing security policy enforcement; and(7) perform a rate limiting (e.g., throttling) of paging messages usingthe correlated TMSI/5G-S-TMSI (e.g., the security policy can be enforcedby the security platform using this User-ID to enforce a configuredthreshold for rate limit paging messages to a cellular IoT device perTMSI/5G-S-TMSI). As an example, the security policy can be configured tolimit to one paging message per day, one paging message per week for agiven IoT device, and/or some other configured limit value per aspecified time period for such paging messages per such endpoint/userequipment.

The misbehaving application can be detected based on a user definedsecurity policy and/or dynamically defined based on a security profilesuch as a vulnerability profile to rate limit paging messages to, forexample, a cellular IoT device per TMSI/5G-S-TMSI. For example, securitypolicies can be configured to specify/define the application and ratelimiting configurations, and when traffic from this application isdetected, then a 5-Tuple (Source/Destination Port, Source/DestinationIP, etc. and IMSI) can be extracted using the security platform (e.g., afirewall device or another network device, which can perform ratelimiting paging messages over the mobile network, such as a 4G or 5Gcellular network), such as will be further described below.

Example IoT devices (e.g., Cellular IoT (CIoT) devices) that can benefitfrom the disclosed battery drain prevention techniques include, but arenot limited to, the following: smart logistics, smart farming, smartparking, smart traffic management, smart environment, and smartwearables.

These and other embodiments and examples for providing for cellular IoTbattery drain prevention in mobile networks will be further describedbelow.

Example System/Process Architectures for Cellular IoT Battery DrainPrevention in Mobile Networks for Service Providers

Generally, 5G is the 5^(th) generation of the mobile communicationssystem. The 3rd Generation Partnership Project (3GPP) includes seventelecommunications standard development organizations (ARIB, ATIS, CCSA,ETSI, TSDSI, TTA, and TTC). The project covers cellulartelecommunications network technologies, including radio access, thecore transport network, and service capabilities. The specificationsalso provide hooks for non-radio access to the core network and forinterworking with Wi-Fi networks, and other organizations including ITU,IETF, and ETSI are developing 5G standards. Some of the improvements ofthe new 5G network standards include, for example, low latency (e.g.,approximately less than 10 milliseconds (MS)), high throughput (e.g.,multi-Gbps), distribution, network function virtualizationinfrastructure, as well as orchestration, analytics, and automation.

The 5G architecture is defined in 3GPP TS 23.501 v16.2.0 (e.g.,available athttps://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3144)as service-based, and the interaction between Network Functions (NFs) isrepresented in two ways: (1) service-based representation, where NFswithin the Control Plane (CP) enable other authorized network functionsto access their services; and (2) reference point representation, whichfocuses on the interactions between pairs of NFs defined bypoint-to-point reference points between any two network functions.

In the 5G architecture, the User Plane Protocol stack between the accessnetwork and the core over the backbone network over the N3 interface(e.g., between a Radio Access Network (RAN) and a UPF element) will bebased on the GPRS Tunnel Protocol User Plane (GTP-U) over UDP protocol(e.g., such as shown in FIGS. 1A-B as further described below), and alsoover the N4 interface (e.g., between a UPF element and SMF element) willbe based on the Packet Forwarding Control Protocol (PFCP) over UDPprotocol (e.g., such as shown in FIGS. 1A-B as further described below).The Control Plane NFs in the 5G system architecture shall be based onthe service-based architecture. HTTP/2 will be the protocol used overservice-based interfaces. A new 5G Access Network protocol will be basedover Stream Control Transmission Protocol (SCTP).

Accordingly, in some embodiments, the disclosed techniques includeproviding a security platform (e.g., PANOS executing on an NGFWavailable from Palo Alto Networks, Inc. or another securityplatform/NFGW) configured to provide DPI capabilities (e.g., includingstateful inspection) of, for example, GTP-U sessions and new HTTP/2based TCP sessions that facilitate a correlation between monitored GTP-Utunnel sessions and new HTTP/2 based TCP sessions as further describedbelow, and as another example, correlation between monitored GTP-Utunnels (e.g., on the N3 interface) and PFCP sessions (e.g., on the N4interface) as further described below.

In some embodiments, a security platform (e.g., PANOS executing on anNGFW available from Palo Alto Networks, Inc. or another securityplatform/NFGW) is configured to provide the following DPI capabilities:stateful inspection of N3 GTP-U tunnels and/or N4 GTP-U tunnels; contentinspection of N3 GTP-U tunnels (e.g., to inspect content of inner IPsessions of N3 GTP-U tunnels) and/or N4 PFCP sessions (e.g., to inspectcontent of N4 PFCP sessions); support for 3GPP Technical Specification(TS) 29.274 Version 16.1.0 (e.g., and later releases, available athttps://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=1692)for Procedures for the 5G system to support 5G cellular technology; andsupport for 3GPP Technical Specification (TS) 29.281 Version 15.6.0(e.g., and later releases, available athttps://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=1699)for GTP-U protocol.

FIG. 1A is a block diagram of a 5G wireless network with a securityplatform deployment for cellular Internet of Things (IoT) battery drainprevention in mobile networks in accordance with some embodiments. FIG.1A is an example service provider network environment for a 5G networkarchitecture that includes a Security Platform 102 in a ControlPlane/signaling Network (e.g., the security platforms can be implementedusing a firewall (FW)/Next Generation Firewall (NGFW), a network sensoracting on behalf of the firewall, or another device/component that canimplement security policies using the disclosed techniques) forproviding cellular IoT battery drain prevention in mobile networks asfurther described below. As shown, the 5G network can also includeFixed/Wired access as shown at 104, Non-3GPP access such as Wi-Fi Accessas shown at 106, 5G Radio Access Network (RAN) access as shown at 108,4G RAN access as shown at 110, and/or other networks (not shown) tofacilitate data communications for subscribers (e.g., using UserEquipment (UE), such as smart phones, laptops, computers (which may bein a fixed location), and/or other cellular enabled computingdevices/equipment, such as IoT/CIoT devices, or other networkcommunication enabled devices) including over a Data Network (e.g., theInternet) 120 to access various applications, web services, contenthosts, etc. and/or other networks (not shown). As shown, each of the 5Gnetwork access mechanisms 104, 106, 108, and 110 are in communicationwith 5G User Plane Functions (UPF) 114, which pass through SecurityPlatform 102 via a Switch 116. As also shown, each of the 5G networkaccess mechanisms 104, 106, 108, and 110 are in communication with 5GAccess and Mobility Management Function (AMF) 112 and 5G CoreControl/Signaling Session Management Function (SMF) 118.

Referring to FIG. 1A, network traffic communications are monitored usingSecurity Platform 102. For example, Security Platform 102 can monitor 5Gcore/control signaling network traffic communications to facilitate thedisclosed techniques, such as for providing cellular IoT battery drainprevention in mobile networks (e.g., including a correlation betweenmonitored GTP-U tunnel sessions and new HTTP/2 based TCP sessions) asfurther described below. As shown, network traffic communications aremonitored/filtered in the 5G network using Security Platform 102 (e.g.,(virtual) devices/appliances that each include a firewall (FW), anetwork sensor acting on behalf of the firewall, or anotherdevice/component that can implement security policies using thedisclosed techniques) configured to perform the disclosed securitytechniques as further described below. In addition, Security Platform102 can also be in network communication with a Cloud Security Service122 (e.g., a commercially available cloud-based security service, suchas the WildFire™ cloud-based malware analysis environment that is acommercially available cloud security service provided by Palo AltoNetworks, Inc., which includes automated security analysis of malwaresamples as well as security expert analysis, or a similar solutionprovided by another vendor can be utilized), such as via the Internet.For example, Cloud Security Service 122 can be utilized to provide theSecurity Platforms with dynamic prevention signatures for malware (e.g.,misbehaving applications that can cause unnecessary battery drain ofIoT/CIoT devices), DNS, URLs, CNC malware, and/or other malware as wellas to receive malware samples for further security analysis. As will nowbe apparent, network traffic communications can be monitored/filteredusing one or more security platforms for network traffic communicationsin various locations within the 5G network to facilitate cellular IoTbattery drain prevention in mobile networks as described herein withrespect to various embodiments.

In an example implementation, Security Platform 102 can perform networkmonitoring over an N2 interface between a Next Generation (NG) RadioAccess Network (RAN) (108) and an AMF (112) of a Next Generation AccessProtocol (NGAP) over a Stream Control Transmission Protocol (SCTP) onthe N2 interface as shown. Security Platform 102 can also performnetwork monitoring over an N11 interface between an AMF (112) and an SMF(118) of an HTTP/2 protocol over a Transmission Control Protocol (TCP)on the N11 interface as shown. Security Platform 102 can also performnetwork monitoring over an N3 interface between a RAN (108) and a UPF(114) of a GPRS Tunneling Protocol (GTP-U) over a User Datagram Protocol(UDP) on the N3 interface as shown.

FIG. 1B is another block diagram of a 5G wireless network with asecurity platform deployment for cellular IoT battery drain preventionin mobile networks in accordance with some embodiments. FIG. 1B isanother example service provider network environment for a 5G networkarchitecture that includes a Security Platform 102 in a ControlPlane/signaling Network (e.g., the security platforms can be implementedusing a firewall (FW)/Next Generation Firewall (NGFW), a network sensoracting on behalf of the firewall, or another device/component that canimplement security policies using the disclosed techniques) forproviding cellular IoT battery drain prevention in mobile networks asfurther described below. As shown, the 5G network can also includeFixed/Wired access as shown at 104, Non-3GPP access such as Wi-Fi Accessas shown at 106, 5G Radio Access Network (RAN) access as shown at 108,4G RAN access as shown at 110, and/or other networks (not shown) tofacilitate data communications for subscribers (e.g., using UserEquipment (UE), such as smart phones, laptops, computers (which may bein a fixed location), and/or other cellular enabled computingdevices/equipment, such as IoT/CIoT devices, or other networkcommunication enabled devices) including over a Data Network (e.g., theInternet) 120 to access various applications, web services, contenthosts, etc. and/or other networks (not shown). As shown, each of the 5Gnetwork access mechanisms 104, 106, 108, and 110 are in communicationwith 5G User Plane Functions (UPF) 114, which pass through SecurityPlatform 102 via a Switch 116. As also shown, each of the 5G networkaccess mechanisms 104, 106, 108, and 110 are in communication with 5GAccess and Mobility Management Function (AMF) 112 and 5G CoreControl/Signaling Session Management Function (SMF) 118.

Referring to FIG. 1B, network traffic communications are monitored usingSecurity Platform 102. For example, Security Platform 102 can monitor 5Gcore/control signaling network traffic communications to facilitate thedisclosed techniques, such as for providing cellular IoT battery drainprevention in mobile networks (e.g., including a correlation betweenmonitored GTP-U tunnel sessions and new HTTP/2 based TCP sessions) asfurther described below. As shown, network traffic communications aremonitored/filtered in the 5G network using Security Platform 102 (e.g.,(virtual) devices/appliances that each include a firewall (FW), anetwork sensor acting on behalf of the firewall, or anotherdevice/component that can implement security policies using thedisclosed techniques) configured to perform the disclosed securitytechniques as further described below. In addition, Security Platform102 can also be in network communication with a Cloud Security Service122 (e.g., a commercially available cloud-based security service, suchas the WildFire™ cloud-based malware analysis environment that is acommercially available cloud security service provided by Palo AltoNetworks, Inc., which includes automated security analysis of malwaresamples as well as security expert analysis, or a similar solutionprovided by another vendor can be utilized), such as via the Internet.For example, Cloud Security Service 122 can be utilized to provide theSecurity Platforms with dynamic prevention signatures for malware (e.g.,misbehaving applications that can cause unnecessary battery drain ofIoT/CIoT devices), DNS, URLs, CNC malware, and/or other malware as wellas to receive malware samples for further security analysis. As will nowbe apparent, network traffic communications can be monitored/filteredusing one or more security platforms for network traffic communicationsin various locations within the 5G network to facilitate cellular IoTbattery drain prevention in mobile networks as described herein withrespect to various embodiments.

In an example implementation, Security Platform 102 can perform networkmonitoring over an N2 interface between a Next Generation (NG) RadioAccess Network (RAN) (108) and AMF (112) of a Next Generation AccessProtocol (NGAP) over a Stream Control Transmission Protocol (SCTP)protocol on the N2 interface as shown. Security Platform 102 can alsoperform network monitoring over an N4 interface between an SMF (118) anda UPF (114) of a Packet Forwarding Control Protocol (PFCP) over a UserDatagram Protocol (UDP) on the N4 interface as shown. Security Platform102 can also perform network monitoring over an N3 interface between aRAN (108) and a UPF (114) of a GPRS Tunneling Protocol (GTP-U) over aUser Datagram Protocol (UDP) on the N3 interface as shown.

In an example implementation, based on the security platform deploymenttopology described above, such as similarly described above with respectto FIGS. 1A-B, the subscription identifiers can be extracted as furtherdescribed below. A PFCP Session Establishment Request is sent over an N4interface by the control plane (CP) function (e.g., 5G corecontrol/signaling function, such as shown in FIG. 1B) to establish a newPFCP session context in a user plane (UP) function (UPF) (e.g., 5G userplane function, such as shown in FIG. 1B). This message can includeoptional information element (IE) ‘user ID’ (e.g., the ‘user ID’ IE canbe included in an N4 session establishment request), which may bepresent based on an operator policy (e.g., and based on the 3GPP TS29.244 V16.1 specification, it shall be only sent if the UP function islocated in a trusted environment). The ‘user ID’ IE can include thefollowing information/parameters: International Mobile SubscriptionIdentity (IMSI) (e.g., IMSI is unique not more than 15 digits whichshall be allocated to each mobile subscriber as specified in 3GPP TS23.003).

In one embodiment, the security platform parses Packet ForwardingControl Protocol (PFCP) Session Establishment Request and PFCP SessionEstablishment Response messages to extract the subscription identifierinformation, and wherein the subscription identifier information isidentified by an International Mobile Subscription Identity (IMSI). Forexample, the disclosed techniques perform inspection ofsignaling/control traffic in service provider networks, such as N4session establishment related traffic (e.g., including PFCP sessions),to extract information exchanged in the N4 session establishment relatedtraffic (e.g., parameters, such as described above and further describedbelow) as well as to monitor tunneled user traffic in service providernetworks (e.g., using DPI, such as described above and further describedbelow) for use in applying a security policy based on this extractedinformation and/or in combination with DPI for facilitating cellular IoTbattery drain prevention in mobile networks, such as further describedbelow.

FIG. 1C is a block diagram of a 4G wireless network with a securityplatform deployment for cellular IoT battery drain prevention in mobilenetworks in accordance with some embodiments. FIG. 1C is an exampleservice provider network environment for a 4G network architecture thatincludes a Security Platform 102 in a Control Plane/signaling Network(e.g., the security platforms can be implemented using a firewall(FW)/Next Generation Firewall (NGFW), a network sensor acting on behalfof the firewall, or another device/component that can implement securitypolicies using the disclosed techniques) for providing cellular IoTbattery drain prevention in mobile networks as further described below.As shown, the 4G network can also include 4G RAN access as shown at 110a-d, as well as other types of network access including Fixed/Wiredaccess (not shown), Non-3GPP access such as Wi-Fi Access (not shown),and/or other networks (not shown) to facilitate data communications forsubscribers (e.g., using User Equipment (UE), such as smart phones,laptops, computers (which may be in a fixed location), and/or othercellular enabled computing devices/equipment, such as IoT/CIoT devices,or other network communication enabled devices) including over a DataNetwork (e.g., the Internet) 120 to access various applications, webservices, content hosts, etc. and/or other networks (not shown). Asshown, each of the 4G network access mechanisms 110 a-d are incommunication with Serving Gateway (SGW) 124, which pass throughSecurity Platform 102 via a Switch 116. As also shown, each of the 4Gnetwork access mechanisms 110 a-d are in communication with a MobilityManagement Entity (MME) 112.

Referring to FIG. 1C, network traffic communications are monitored usingSecurity Platform 102. For example, Security Platform 102 can monitor 4Gcore/control signaling network traffic communications to facilitate thedisclosed techniques, such as for providing cellular IoT battery drainprevention in mobile networks as further described below. As shown,network traffic communications are monitored/filtered in the 4G networkusing Security Platform 102 (e.g., (virtual) devices/appliances thateach include a firewall (FW), a network sensor acting on behalf of thefirewall, or another device/component that can implement securitypolicies using the disclosed techniques) configured to perform thedisclosed security techniques as further described below. In addition,Security Platform 102 can also be in network communication with a CloudSecurity Service 122 (e.g., a commercially available cloud-basedsecurity service, such as the WildFire™ cloud-based malware analysisenvironment that is a commercially available cloud security serviceprovided by Palo Alto Networks, Inc., which includes automated securityanalysis of malware samples as well as security expert analysis, or asimilar solution provided by another vendor can be utilized), such asvia the Internet. For example, Cloud Security Service 122 can beutilized to provide the Security Platforms with dynamic preventionsignatures for malware (e.g., misbehaving applications that can causeunnecessary battery drain of IoT/CIoT devices), DNS, URLs, CNC malware,and/or other malware as well as to receive malware samples for furthersecurity analysis. As will now be apparent, network trafficcommunications can be monitored/filtered using one or more securityplatforms for network traffic communications in various locations withinthe 4G network to facilitate cellular IoT battery drain prevention inmobile networks as described herein with respect to various embodiments.

In an example implementation, Security Platform 102 can perform networkmonitoring over an S1 interface between a 4G Radio Access Network (RAN)(110 a-d) and an MME (112) of s1 Access Protocol (S1AP) over a StreamControl Transmission Protocol (SCTP) on the S1 interface as shown.Security Platform 102 can also perform network monitoring over an S11interface between an MME (112) and an SGW (124) of a GPRS TunnelingProtocol Version 2 for Control Plane (GTPv2-C) over a User DatagramProtocol (UDP) on the S11 interface as shown. Security Platform 102 canalso perform network monitoring over an S1-U interface between a 4GRadio Access Network (RAN) (110 a-d) and an SGW (124) of a GPRSTunneling Protocol (GTP-U) over a User Datagram Protocol (UDP) on theS1-U interface as shown.

In an example implementation, the security platform is configured tomonitor the respective interfaces of the switch, MME, and SGW as shownin FIG. 1C to monitor control/signaling traffic (e.g., GTP-C messages)and tunneled user traffic (GTP-U) to implement a security platform withGTP monitoring capabilities that implements security policies, which canuse, for example, parameters, such as location information associatedwith the subscriber/mobile device, device ID/IMEI, subscriberinformation/IMSI, and/or RAT, and/or any other parameters/informationthat can be extracted from control/signaling traffic (e.g., GTP-Cmessages) as well as performing DPI for IP packets inside the tunnel, asfurther described below. As described above, the subscriber identity(e.g., IMSI) can be extracted from the Create Session Request message bythe security platform, which can be stored (e.g., cached as associatedwith the IP flow) for use in applying a security policy based on thisextracted information and/or in combination with DPI, such as furtherdescribed below.

Specifically, a Create Session Request message sent from the MME to theSGW can be monitored using the security platform, such as shown in FIG.1C. The Create Session Request message is a message to allocate acontrol and data channel for a new network communication access requestfor a mobile device in a 4G/LTE network (e.g., to be provided with atunnel for user IP packets for network communications over a mobileservice provider's network). For example, the GTP Create Session Requestmessage can include location, hardware identity (e.g., IMEI), subscriberidentity (e.g., IMSI), and/or radio access technology (RAT) informationin the new network communication access request for the mobile device.

In one embodiment, the security platform monitors GTP-C messages betweenthe MME and SGW as shown (e.g., and, in some cases between the MME, SGW,and Packet Data Network Gateway (PGW) (not shown)) to extract certaininformation included within GTP-C messages based on a security policy(e.g., monitoring GTPv2-C messages using a pass through firewall/NGFWthat is located between the MME, SGW, and/or PGW or using afirewall/NGFW implemented as VM instances or agents executed on the MME,SGW, and/or PGW, and/or other entities in the mobile core network). Forexample, the security platform can monitor GTP-C messages and extractthe subscriber identity (e.g., IMSI), and/or other information from theCreate Session Request message, such as further described below.

Thus, these and various other example network architectures can utilizethe disclosed security techniques for 4G and 5G mobile networkenvironments in which one or more security platforms can be provided toperform traffic monitoring and filtering to provide new and enhanced 5Grelated security techniques, including for cellular IoT battery drainprevention in mobile networks for service providers based on signalingand DPI information as further described below. As will now be apparentto one of ordinary skill in the art in view of the disclosedembodiments, one or more security platforms can similarly be provided invarious other locations within these network architectures (e.g., aninline, pass-through NGFW, such as shown by Security Platforms as shownin FIGS. 1A-C, and/or implemented as agents or virtual machine (VM)instances, which can be executed on existing devices in the serviceprovider's network, such as entities within the 4G/5G User PlaneFunctions and/or within the 4G/5G Core Control/Signaling Functions asshown in FIGS. 1A-C) and in various wireless network environments toperform the disclosed security techniques as further described below.

FIG. 2 is a process architecture diagram of a 5G wireless network with asecurity platform deployment for cellular IoT battery drain preventionin mobile networks in accordance with some embodiments. Referring toFIG. 2, a Network/Security Administrator (Admin) 200 configures asecurity policy or a security profile for a Security Platform 202 a(e.g., deployed on the access side of a mobile network to throttle/ratelimit signaling messages sent to IoT/CIoT devices withchatty/misbehaving applications) to facilitate rate limiting of pagingmessages per application which are sent via mobile networks toendpoint/user equipment using the disclosed techniques as furtherdescribed below.

As shown, Security Platform 202 a monitors network traffic for anapplication sending paging messages based on a security policy or asecurity profile (e.g., a vulnerability profile, such as furtherdescribed below) to identify a misbehaving application (e.g., anapplication can be determined to be misbehaving based on a securitypolicy configuration as configured by the Network/Security Admin and/ordynamic profile, such as using heuristic-based techniques and/or machinelearning techniques (MLT), such as further described below).

In an example implementation, Security Platform 202 a captures a trafficlog for the detected application sending paging messages based on thesecurity policy or the security profile application along with anassociated International Mobile Subscriber Identity (IMSI) toeffectively populate a misbehaving application along with IMSI in thetraffic log as similarly described above. As shown at 204, SecurityPlatform 202 a forwards the traffic log to a Database Server 206 (e.g.,an external server/data store).

As shown, Database Server 206 correlates the IMSI to, for example, aTemporary Mobile Subscriber Identity (TMSI) in 4G networks and to a5G-S-TMSI in 5G networks. Database Server 206 then sends the correlatedTMSI/5G-S-TMSI to the security platform in a Syslog Message 208 thatincludes the TMSI or 5G-S-TMSI information to the same security platformand/or a different security platform(s) as shown at 202 b. The TMSI isstored along with the IMSI in the network. In an example 4G mobilenetwork environment, the MME is configured to be capable of correlatingan allocated TMSI with the IMSI. In an example 5G mobile networkenvironment, the AMF is configured to be capable of correlating anallocated 5G-S-TMSI with the IMSI/SUPI. In an example implementation,the external server can be configured to include a correlation mechanismwith IMSI, TMSI/5G-S-TMSI databases or can perform a query of the MMEand/or AMF to obtain such information for performing the correlationoperations.

Security Platform 202 b parses Syslog Message 208 and extracts theTMSI/5G-S-TMSI as a User-ID parameter for performing security policyenforcement. For example, Security Platform 202 b enforces a securitypolicy to perform a rate limiting (e.g., throttling) of paging messagesusing the correlated TMSI/5G-S-TMSI (e.g., the security policy can beenforced by the security platform using this User-ID to enforce aconfigured threshold for rate limit paging messages to a cellular IoTdevice per TMSI/5G-S-TMSI). For instance, the security policy can beconfigured to be limited to one paging message per day, one pagingmessage per week for a given IoT device, and/or some other configuredlimit value per a specified time period for such paging messages persuch endpoint/user equipment. As another example, Security Platform 202b enforces a security profile, such as a vulnerability profile, whichcan be updated to similarly perform a rate limiting (e.g., throttling)of paging messages using the correlated TMSI/5G-S-TMSI.

As such, the misbehaving application can be detected based on a userdefined security policy and/or dynamically defined based on a securityprofile such as a vulnerability profile to rate limit paging messagesto, for example, a cellular IoT device per TMSI/5G-S-TMSI. For example,security policies can be configured to specify/define the applicationand rate limiting configurations, and when traffic from this applicationis detected, then a 5-Tuple (Source/Destination Port, Source/DestinationIP, etc. and IMSI) can be extracted using the security platform (e.g., afirewall device or another network device, which can perform ratelimiting paging messages over the mobile network, such as a 4G or 5Gcellular network).

Example Use Cases of Enhanced Security for 5G Networks for Service

Providers

The disclosed techniques for providing enhanced security for 5Gmobile/service provider networks using a security platform for securitypolicy enforcement can be applied in a variety of additional example usecase scenarios for facilitating enhanced and more flexible and dynamicsecurity for 5G mobile/service provider network environments includingfor cellular IoT battery drain prevention in mobile networks. Additionalexample use case scenarios will be further described below.

As a first example use case scenario, assume that mobile and convergednetwork operators are offering wireless IoT technologies (e.g., CIoTdevices) including Narrowband IoT (NB-IoT) and LTE-M to IoT/M2Mcustomers, such as utilities (e.g., gas, water, electric, etc.), watermeter management companies, fleet tracking companies, and/or other typesof customers. Most of the CIoT devices do not have compute capabilitiesand resources to provide security functionality and typically are notsecurely coded. As a result, this creates an opportunity for mobile andconverged network operators to offer network-based security services tothese customers that can be provided using the disclosed techniques forenhanced security for CIoT in mobile/service provider networks using asecurity platform for security policy enforcement (e.g., usinginspection and security capabilities on an N3 and interface as describedherein).

As a second example use case scenario, assume that mobile and convergednetwork operators are offering wireless IoT technologies (e.g., CIoTdevices) including Narrowband IoT (NB-IoT) and LTE-M to IoT/M2Mcustomers, such as utilities (e.g., gas, water, electric, etc.), watermeter management companies, fleet tracking companies, and/or other typesof customers. Most of the CIoT devices do not have compute capabilitiesand resources to provide security functionality and typically are notsecurely coded. As a result, this can lead to CIoT device initiatedattacks on the mobile network to which they are connected (e.g., and MECsystem). As similarly described herein, the disclosed techniques forenhanced security for CIoT in mobile/service provider networks using asecurity platform for security policy enforcement including inspectionand security capabilities on an S11-U interface can be performed toprotect the critical network elements of mobile networks from attackingCIoT devices.

Examples of IoT Threats

As an example of such an IoT threat scenario, an attacker may attempt toattack endpoint/mobile devices (e.g., IoT devices) by sending messages(e.g., paging messages, which can generally be used for sending networkdata to endpoint/user equipment, over various protocols for 4G networksand over the Next Generation Access Protocol (NGAP) over the StreamControl Transmission (SCTP) protocol for 5G networks) to drain batteriesof such targeted endpoint/mobile devices (e.g., IoT devices).

As an example, an Android VoIP application popular in Japan usedfrequent keep-alive messages even when the users were idle, causing asignaling overload and a major outage in the mobile network (see Gorbilet al., Storms in Mobile Networks, IEEE Transactions on Emerging Topics,Vol. XX, No. X, 2015, available at https://arxiv.org/pdf/1411.1280.pdf).

As an example of misbehaving applications that can cause pagingsignaling storms and outage in mobile networks, 5G is challenged bybroadband requirements such as video streaming and the Internet ofThings (IoT) that often require low signaling overhead and quality ofservice (QoS) with higher traffic volume and bandwidths. However, themobile network control plane can be attacked by short and frequentcommunications that take advantage of vulnerabilities in signaling suchas paging, service requests, and radio resource control (RRC). Suchattacks can compromise a large number of mobile devices, or can target alist of mobiles by carefully timing the transmissions. Furthermore,signaling storms can be the result of malfunctioning apps thatrepeatedly establish and tear-down data connections with a seriouseffect on the Quality of Service (QoS) of the network control plane (seeGelenbe et al., Detection and mitigation of signaling storms in mobilenetwork, 2016 International Conference on Computing, Networking andCommunications (ICNC), available athttps://ieeexplore.ieee.org/abstract/document/7440686).

As an example of the potential impact of signaling storms in the mobilenetworks, misbehaving applications can cause paging signaling storms andoutage in mobile networks (see J. Senor, H. Zang, J. C. Bolot, “Impactof paging channel overloads or attacks on a cellular network”, Proc. 5thACM Workshop Wireless Security (WiSe'06), pp. 75-84, September 2006).

As will now be apparent in view of the disclosed embodiments, a networkservice provider/mobile operator (e.g., a cellular service providerentity), a device manufacturer (e.g., a CIoT device entity and/or otherdevice manufacturer of such CIoT devices, such as smart logistics, smartfarming, smart parking, smart traffic management, smart environment,smart wearables, and/or other types of CIoT devices), and/or systemintegrators can specify such security policies that can be enforced by asecurity platform using the disclosed techniques to solve these andother technical network security challenges, including technical networksecurity challenges for cellular IoT battery drain prevention inmobile/service provider network environments.

Example Hardware Components of a Network Device Cellular IoT BatteryDrain Prevention in Mobile Networks for Service Providers

FIG. 3 is a functional diagram of hardware components of a networkdevice for cellular IoT battery drain prevention in mobile networks inaccordance with some embodiments. The example shown is a representationof physical/hardware components that can be included in network device300 (e.g., an appliance, gateway, or server that can implement thesecurity platform disclosed herein). Specifically, network device 300includes a high performance multi-core CPU 302 and RAM 304. Networkdevice 300 also includes a storage 310 (e.g., one or more hard disks orsolid state storage units), which can be used to store policy and otherconfiguration information as well as signatures. In one embodiment,storage 310 stores a traffic log for a misbehaving application, IMSI,TMSI/5G-S-TMSI (e.g., associated with a User-ID as similarly describedabove), and associated IP addresses/port numbers and possibly otherinformation (e.g., Application-ID, Content-ID, User-ID, URL, and/orother information) that are monitored for implementing the disclosedsecurity policy enforcement techniques using a securityplatform/firewall device. Network device 300 can also include one ormore optional hardware accelerators. For example, network device 300 caninclude a cryptographic engine 306 configured to perform encryption anddecryption operations, and one or more FPGAs 308 configured to performsignature matching, act as network processors, and/or perform othertasks.

Example Logical Components of a Network Device Cellular IoT BatteryDrain Prevention in Mobile Networks for Service Providers

FIG. 4 is a functional diagram of logical components of a network devicefor cellular IoT battery drain prevention in mobile networks inaccordance with some embodiments. The example shown is a representationof logical components that can be included in network device 400 (e.g.,a data appliance, which can implement the disclosed security platformand perform the disclosed techniques). As shown, network device 400includes a management plane 402 and a data plane 404. In one embodiment,the management plane is responsible for managing user interactions, suchas by providing a user interface for configuring policies and viewinglog data. The data plane is responsible for managing data, such as byperforming packet processing and session handling.

Suppose a mobile device attempts to access a resource (e.g., a remoteweb site/server, an IoT device such as a CIoT device, or anotherresource) using an encrypted session protocol, such as SSL. Networkprocessor 406 is configured to monitor packets from the mobile device,and provide the packets to data plane 404 for processing. Flow 408identifies the packets as being part of a new session and creates a newsession flow. Subsequent packets will be identified as belonging to thesession based on a flow lookup. If applicable, SSL decryption is appliedby SSL decryption engine 410 using various techniques as describedherein. Otherwise, processing by SSL decryption engine 410 is omitted.Application identification (APP ID) module 412 is configured todetermine what type of traffic the session involves and to identify auser associated with the traffic flow (e.g., to identify anApplication-ID as described herein). For example, APP ID 412 canrecognize a GET request in the received data and conclude that thesession requires an HTTP decoder 414. As another example, APP ID 412 canrecognize a GTP-U message (e.g., N4 session establishmentrequest/response messages, and conclude that the session requires a GTPdecoder) (e.g., to extract information exchanged in the N4 sessionestablishment related messages including various parameters, such asInternational Mobile Subscription Identity (IMSI), International MobileEquipment Identifier (IMEI), Mobile Subscriber ISDN (MSISDN), and/orNetwork Access Identifier (NAI) related information) and conclude thatthe session requires a GTP decoder. For each type of protocol, thereexists a corresponding decoder 414. In one embodiment, the applicationidentification is performed by an application identification module(e.g., APP ID component/engine), and a user identification is performedby another component/engine. Based on the determination made by APP ID412, the packets are sent to an appropriate decoder 414. Decoder 414 isconfigured to assemble packets (e.g., which may be received out oforder) into the correct order, perform tokenization, and extract outinformation (e.g., such as described above to extract variousinformation exchanged in the N4 session establishment related messagesas similarly described above). Decoder 414 also performs signaturematching to determine what should happen to the packet. SSL encryptionengine 416 performs SSL encryption using various techniques as describedherein and the packets are then forwarded using a forward component 418as shown. As also shown, policies 420 are received and stored in themanagement plane 402. In one embodiment, policy enforcement (e.g.,policies can include one or more rules, which can be specified usingdomain and/or host/server names, and rules can apply one or moresignatures or other matching criteria or heuristics, such as forsecurity policy enforcement for subscriber/IP flows on service providernetworks based on various extracted parameters/information frommonitored HTTP/2 messages and/or DPI of monitored GTP-U traffic asdisclosed herein) is applied as described herein with respect to variousembodiments based on the monitored, decrypted, identified, and decodedsession traffic flows.

As also shown in FIG. 4, an interface (I/F) communicator 422 is alsoprovided for security platform manager communications (e.g., via (REST)APIs, messages, or network protocol communications or othercommunication mechanisms). In some cases, network communications ofother network elements on the service provider network are monitoredusing network device 400, and data plane 404 supports decoding of suchcommunications (e.g., network device 400, including I/F communicator 422and decoder 414, can be configured to monitor and/or communicate on, forexample, interfaces such as N2, N3, N4, N11, and/or other interfaceswhere wired and wireless network traffic flow exists as similarlydescribed herein). As such, network device 400 including I/Fcommunicator 422 can be used to implement the disclosed techniques forsecurity policy enforcement on mobile/service provider networkenvironments, including for cellular IoT battery drain prevention inmobile networks, as described above and as will be further describedbelow.

FIG. 5 is a screenshot diagram of a security policy for performingcellular IoT battery drain prevention in mobile networks in accordancewith some embodiments. Referring to FIG. 5, the example screen shot forconfiguring a security policy for a security platform includes anapplication (e.g., a misbehaving application) as shown at 502, asecurity profile with rate limiting rules for paging messages as shownat 504, and a User-ID column/field with TMSI and/or 5G-S-TMSIidentifiers as shown at 506 to facilitate performing the disclosedtechniques for performing cellular IoT battery drain prevention inmobile networks as similarly described above and further describedbelow.

Additional example processes for the disclosed techniques for performingenhanced security for CIoT on mobile/service provider networkenvironments will now be described.

Example Processes for Cellular IoT Battery Drain Prevention in MobileNetworks for Service Providers

FIG. 6 is a flow diagram of a process for performing cellular IoTbattery drain prevention in mobile networks in accordance with someembodiments. In some embodiments, a process 600 as shown in FIG. 6 isperformed by the security platform and techniques as similarly describedabove including the embodiments described above with respect to FIGS.1A-5. In one embodiment, process 600 is performed by data appliance 300as described above with respect to FIG. 3, network device 400 asdescribed above with respect to FIG. 4, a virtual appliance, an SDNsecurity solution, a cloud security service, and/or combinations orhybrid implementations of the aforementioned as described herein.

The process begins at 602. At 602, monitoring network traffic on aservice provider network at a security platform to identify amisbehaving application based on a security policy, wherein the serviceprovider network includes a 4G network or a 5G network, is performed.For example, the security platform (e.g., a firewall, a network sensoracting on behalf of the firewall, or another device/component that canimplement security policies) can monitor GTP-U and HTTP/2 traffic on themobile core network as similarly described above.

At 604, extracting subscription identifier information for networktraffic associated with the misbehaving application at the securityplatform is performed. For example, the security platform can parsevarious protocols and messages to extract the subscription identifierinformation (e.g., IMSI related information), using DPI-based firewalltechniques as similarly described above, such as with respect to FIGS.1A-C and 2.

At 606, associate the misbehaving application subscription identifierinformation with temporary mobile subscriber identifier information isperformed. For example, this operation of associating the misbehavingapplication subscription identifier information with temporary mobilesubscriber identifier information can be performed using a server/datastore (e.g., an external server/data store) and correlating the IMSI to,for example, a Temporary Mobile Subscriber Identity (TMSI) in 4Gnetworks and to a 5G-S-TMSI in 5G networks, as similarly describedabove, such as with respect to FIGS. 1A-C and 2.

At 608, enforcing the security policy at the security platform to ratelimit paging messages sent to an endpoint device using the subscriptionidentifier information and based on the security policy is performed.For example, various rate limiting/throttling enforcement actions can beperformed using the security platform as similarly described above, suchas with respect to FIGS. 1A-C and 2.

As will now be apparent in view of the disclosed embodiments, a networkservice provider/mobile operator (e.g., a cellular service providerentity), a device manufacturer (e.g., an automobile entity, IoT deviceentity, and/or other device manufacturer), and/or system integrators canspecify such security policies that can be enforced by a securityplatform using the disclosed techniques to solve these and othertechnical network security challenges for providing cellular IoT batterydrain prevention in mobile networks, including 4G and 5G networks.

Although the foregoing embodiments have been described in some detailfor purposes of clarity of understanding, the invention is not limitedto the details provided. There are many alternative ways of implementingthe invention. The disclosed embodiments are illustrative and notrestrictive.

What is claimed is:
 1. A system, comprising: a processor configured to:monitor network traffic on a service provider network at a securityplatform to identify a misbehaving application based on a securitypolicy, wherein the service provider network includes a 4G network or a5G network; extract subscription identifier information for networktraffic associated with the misbehaving application at the securityplatform, wherein the subscription identifier information is identifiedby International Mobile Subscription Identity (IMSI) relatedinformation; correlate the IMSI to a Temporary Mobile Subscriberidentity (TMSI) in the 4G network or a 5G-S-TMSI in the 5G network;parse a message in the network traffic to extract the TMSI or the5G-S-TMSI as a User-ID parameter for performing security policyenforcement; and enforce the security policy at the security platform torate limit paging messages sent to an endpoint device using thesubscription identifier information and based on the security policy,comprising to: enforce, using the User-ID, a configured threshold forthe rate limit paging messages to the endpoint device; and a memorycoupled to the processor and configured to provide the processor withinstructions.
 2. The system recited in claim 1, wherein the endpointdevice includes a cellular Internet of Things (IoT) device.
 3. Thesystem recited in claim 1, wherein the security platform is configuredwith a plurality of security policies for each of a plurality ofmisbehaving applications.
 4. The system recited in claim 1, wherein thesecurity platform parses Packet Forwarding Control Protocol (PFCP)Session Establishment Request and PFCP Session Establishment Responsemessages to extract the subscription identifier information.
 5. Thesystem recited in claim 1, wherein the security platform monitorswireless interfaces including a plurality of interfaces for a controlprotocol and user data traffic in a mobile core network for a 4Gnetwork.
 6. The system recited in claim 1, wherein the security platformmonitors wireless interfaces including a plurality of interfaces for acontrol protocol and user data traffic in a mobile core network for a 5Gnetwork.
 7. The system recited in claim 1, wherein the security platformis configured to perform a firewall service using the subscriptionidentifier information.
 8. A method, comprising: monitoring networktraffic on a service provider network at a security platform to identifya misbehaving application based on a security policy, wherein theservice provider network includes a 4G network or a 5G network;extracting subscription identifier information for network trafficassociated with the misbehaving application at the security platform;platform, wherein the subscription identifier information is identifiedby International Mobile Subscription Identity (IMSI) relatedinformation; correlating the IMSI to a Temporary Mobile Subscriberidentity (TMSI) in the 4G network or a 5G-S-TMSI in the 5G network;parsing a message in the network traffic to extract the TMSI or the5G-S-TMSI as a User-ID parameter for performing security policyenforcement and enforcing the security policy at the security platformto rate limit paging messages sent to an endpoint device using thesubscription identifier information and based on the security policy,comprising: enforcing, using the User-ID, a configured threshold for therate limit paging messages to the endpoint device.
 9. The method ofclaim 8, wherein the endpoint device includes a cellular Internet ofThings (IoT) device.
 10. The method of claim 8, wherein the securityplatform is configured with a plurality of security policies for each ofa plurality of misbehaving applications.
 11. The method of claim 8,wherein the security platform parses Packet Forwarding Control Protocol(PFCP) Session Establishment Request and PFCP Session EstablishmentResponse messages to extract the subscription identifier information,and wherein the subscription identifier information.
 12. The method ofclaim 8, wherein the security platform monitors wireless interfacesincluding a plurality of interfaces for a control protocol and user datatraffic in a mobile core network for a 4G network.
 13. The method ofclaim 8, wherein the security platform monitors wireless interfacesincluding a plurality of interfaces for a control protocol and user datatraffic in a mobile core network for a 5G network.
 14. The method ofclaim 8, wherein the security platform is configured to perform afirewall service using the subscription identifier information.
 15. Acomputer program product, the computer program product being embodied ina tangible non-transitory computer readable storage medium andcomprising computer instructions for: monitoring network traffic on aservice provider network at a security platform to identify amisbehaving application based on a security policy, wherein the serviceprovider network includes a 4G network or a 5G network; extractingsubscription identifier information for network traffic associated withthe misbehaving application at the security; platform, wherein thesubscription identifier information is identified by InternationalMobile Subscription Identity (IMSI) related information; correlating theIMSI to a Temporary Mobile Subscriber identity (TMSI) in the 4G networkor a 5G-S-TMSI in the 5G network; parsing a message in the networktraffic to extract the TMSI or the 5G-S-TMSI as a User-ID parameter forperforming security policy enforcement and enforcing the security policyat the security platform to rate limit paging messages sent to anendpoint device using the subscription identifier information and basedon the security policy, comprising: enforcing, using the User-ID, aconfigured threshold for the rate limit paging messages to the endpointdevice.
 16. The computer program product recited in claim 15, whereinthe endpoint device includes a cellular Internet of Things (IoT) device.17. The computer program product recited in claim 15, wherein thesecurity platform is configured with a plurality of security policiesfor each of a plurality of misbehaving applications.